When to_char() processes a numeric
formatting template calling for a large number of digits,
PostgreSQL would read past the end
of a buffer. When processing a crafted timestamp formatting
template, PostgreSQL would write
past the end of a buffer. Either case could crash the server. We
have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
(CVE-2015-0241)

Fix buffer overrun in replacement *printf() functions (Tom Lane)

PostgreSQL includes a
replacement implementation of printf
and related functions. This code will overrun a stack buffer when
formatting a floating point number (conversion specifiers
e, E, f, F, g or G) with requested
precision greater than about 500. This will crash the server, and
we have not ruled out the possibility of attacks that lead to
privilege escalation. A database user can trigger such a buffer
overrun through the to_char() SQL
function. While that is the only affected core PostgreSQL functionality, extension modules
that use printf-family functions may be at risk as well.

This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of
these functions where adequate, which it is on other modern
platforms. (CVE-2015-0242)

Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)

Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and
improper dependence on the contents of uninitialized memory. The
buffer overrun cases can crash the server, and we have not ruled
out the possibility of attacks that lead to privilege escalation.
(CVE-2015-0243)

If any error occurred while the server was in the middle of
reading a protocol message from the client, it could lose
synchronization and incorrectly try to interpret part of the
message's data as a new protocol message. An attacker able to
submit crafted binary data within a command parameter might succeed
in injecting his own SQL commands this way. Statement timeout and
query cancellation are the most likely sources of errors triggering
this scenario. Particularly vulnerable are applications that use a
timeout and also submit arbitrary user-crafted data as binary query
parameters. Disabling statement timeout will reduce, but not
eliminate, the risk of exploit. Our thanks to Emil Lenngren for
reporting this issue. (CVE-2015-0244)
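To make the resynchronization failure concrete, here is a small added model of the type/length framing used by the frontend/backend protocol; it is illustration code written for this note, not PostgreSQL's own reader. The message reader is run twice over one constructed byte stream (a Bind-style message carrying a binary parameter, followed by a Sync): once resuming wherever an interrupted consumer stopped, which reproduces the bug, and once always advancing to the boundary recorded from the length field, which is the shape of the fix. The interruption offset, the `timeout_after` helper and the `MidMessageError` class are assumptions chosen so the interrupted position falls on the embedded bytes; the stream is constructed, not captured traffic.

```python
import struct

HEADER_LEN = 5  # 1-byte message type + 4-byte big-endian length (counts itself, not the type byte)


def frame(msg_type: bytes, body: bytes) -> bytes:
    """Wrap a body in the type/length framing used on the wire."""
    return msg_type + struct.pack("!I", len(body) + 4) + body


class MidMessageError(Exception):
    """Stand-in (assumed) for a statement timeout or cancel arriving mid-body."""

    def __init__(self, consumed: int):
        super().__init__(f"interrupted after {consumed} body bytes")
        self.consumed = consumed


def timeout_after(n_bytes: int):
    """Consumer that 'fails' partway through any Bind-style ('B') message body."""

    def consume(msg_type: bytes, body: bytes) -> None:
        if msg_type == b"B" and len(body) > n_bytes:
            raise MidMessageError(n_bytes)

    return consume


def read_messages(stream: bytes, consume, resync_on_error: bool):
    """Walk the framed messages in `stream`, calling consume(type, body) on each.

    Returns a list of (label, body) tuples.  With resync_on_error=False the
    reader resumes wherever the consumer stopped, so leftover body bytes get
    reinterpreted as a new message header.  With True it always jumps to the
    boundary computed from the length field before reading the next header.
    """
    seen = []
    pos = 0
    while pos + HEADER_LEN <= len(stream):
        msg_type = stream[pos:pos + 1]
        (length,) = struct.unpack_from("!I", stream, pos + 1)
        body_start, body_end = pos + HEADER_LEN, pos + 1 + length
        if length < 4 or body_end > len(stream):
            seen.append(("malformed", msg_type))
            break
        body = stream[body_start:body_end]
        try:
            consume(msg_type, body)
        except MidMessageError as err:
            seen.append(("error:" + msg_type.decode(), None))
            # The bug: continue from the consumer's position, inside the body.
            # The fix: discard the rest of the message and continue at body_end.
            pos = body_end if resync_on_error else body_start + err.consumed
            continue
        seen.append((msg_type.decode(), body))
        pos = body_end
    return seen


# Constructed sample stream: a Bind-style message whose binary parameter
# contains bytes shaped like a complete 'Q' message, followed by a Sync.
INNER = frame(b"Q", b"SELECT 1\x00")
PARAM = struct.pack("!H", 1) + struct.pack("!I", len(INNER)) + INNER  # count, value length, value
STREAM = frame(b"B", PARAM) + frame(b"S", b"")

if __name__ == "__main__":
    # The parameter value starts 6 bytes into the 'B' body (2-byte count + 4-byte length).
    for resync in (False, True):
        labels = [m[0] for m in read_messages(STREAM, timeout_after(6), resync)]
        print("resync" if resync else "no resync", labels)
```

Without resynchronization the reader reports the interrupted Bind, then a spurious Query built from the parameter's bytes, then the Sync; with it, only the interrupted Bind and the Sync. The defensive lesson for application code is the one the note gives: binary parameters plus statement timeouts were the risky combination on unpatched servers, and the only complete fix is the server-side one.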

Some server error messages show the values of columns that
violate a constraint, such as a unique constraint. If the user does
not have SELECT privilege on all columns
of the table, this could mean exposing values that the user should
not be able to see. Adjust the code so that values are displayed
only when they came from the SQL command or could be selected by
the user. (CVE-2014-8161)

Use SSPI authentication to allow connections only from the OS
user who launched the test suite. This closes on Windows the same
vulnerability previously closed on other platforms, namely that
other users might be able to connect to the test postmaster.
(CVE-2014-0067)

Avoid possible data corruption if ALTER
DATABASE SET TABLESPACE is used to move a database to a new
tablespace and then shortly later move it back to its original
tablespace (Tom Lane)

If the failing transaction had earlier removed the last index,
rule, or trigger from the table, the table would be left in a
corrupted state with the relevant pg_class flags not set though they should be.

Fix DROP's dependency searching to
correctly handle the case where a table column is recursively
visited before its table (Petr Jelinek, Tom Lane)

This case is only known to arise when an extension creates both
a datatype and a table using that datatype. The faulty code might
refuse a DROP EXTENSION unless CASCADE is specified, which should not be
required.

In READ COMMITTED mode, queries that
lock or update recently-updated rows could crash as a result of
this bug.

Fix planning of SELECT FOR UPDATE when
using a partial index on a child table (Kyotaro Horiguchi)

In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial
index's WHERE condition when rechecking a
recently-updated row to see if it still satisfies the query's
WHERE condition. This requirement was
missed if the index belonged to an inheritance child table, so that
it was possible to incorrectly return rows that no longer satisfy
the query condition.

This restriction is per SQL standard. Previously we did not
reject the case explicitly, but later on the code would fail with
bizarre-looking errors.

Fix bugs in raising a numeric value to a
large integral power (Tom Lane)

The previous code could get a wrong answer, or consume excessive
amounts of time and memory before realizing that the answer must
overflow.

In numeric_recv(), truncate away
any fractional digits that would be hidden according to the value's
dscale field (Tom Lane)

A numeric value's display scale
(dscale) should never be less than the
number of nonzero fractional digits; but apparently there's at
least one broken client application that transmits binary
numeric values in which that's true. This
leads to strange behavior since the extra digits are taken into
account by arithmetic operations even though they aren't printed.
The least risky fix seems to be to truncate away such "hidden" digits on receipt, so that the value is
indeed what it prints as.
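The following added example (written for this note, not PostgreSQL's numeric.c) decodes the binary numeric wire format that numeric_send emits, shows how a value can carry fractional base-10000 digits beyond its dscale, and applies the truncation described above on receipt. The header layout (ndigits, weight, sign, dscale as 16-bit fields, then base-10000 digits) and the sign codes are those of the real format; the sample values are constructed, and `numeric_to_str` is a helper for display only.

```python
import struct

NBASE_DIGITS = 4  # each base-10000 "digit" covers four decimal places
NUMERIC_POS, NUMERIC_NEG, NUMERIC_NAN = 0x0000, 0x4000, 0xC000


def encode_numeric(weight, sign, dscale, digits):
    """Build a binary-format numeric: header (ndigits, weight, sign, dscale) + digits."""
    return struct.pack("!hhHh", len(digits), weight, sign, dscale) + struct.pack(f"!{len(digits)}h", *digits)


def decode_numeric(wire):
    """Parse header and base-10000 digit array with the basic validity checks."""
    ndigits, weight, sign, dscale = struct.unpack_from("!hhHh", wire, 0)
    if sign not in (NUMERIC_POS, NUMERIC_NEG, NUMERIC_NAN):
        raise ValueError("invalid sign in external numeric value")
    if ndigits < 0 or len(wire) != 8 + 2 * ndigits:
        raise ValueError("invalid length in external numeric value")
    digits = list(struct.unpack_from(f"!{ndigits}h", wire, 8))
    if any(not 0 <= d < 10000 for d in digits):
        raise ValueError("invalid digit in external numeric value")
    return weight, sign, dscale, digits


def truncate_hidden_digits(weight, dscale, digits):
    """Drop fractional digits that dscale would hide, then strip trailing zero groups."""
    kept = []
    for i, d in enumerate(digits):
        w = weight - i  # base-10000 position of this group; w < 0 means fractional
        if w >= 0:
            kept.append(d)
            continue
        visible = dscale - NBASE_DIGITS * (-w - 1)  # how many of this group's 4 places are shown
        if visible <= 0:
            break  # this group and everything after it is entirely hidden
        if visible < NBASE_DIGITS:
            unit = 10 ** (NBASE_DIGITS - visible)
            d -= d % unit  # zero the hidden low-order places inside the group
        kept.append(d)
    while kept and kept[-1] == 0:
        kept.pop()
    return (0, []) if not kept else (weight, kept)


def numeric_recv(wire):
    """Receive a binary numeric, truncating hidden digits as the fix does."""
    weight, sign, dscale, digits = decode_numeric(wire)
    if sign != NUMERIC_NAN:
        weight, digits = truncate_hidden_digits(weight, dscale, digits)
    return weight, sign, dscale, digits


def numeric_to_str(weight, sign, dscale, digits, show_hidden=False):
    """Render the value; show_hidden=True prints every stored digit, not just dscale."""
    if sign == NUMERIC_NAN:
        return "NaN"

    def group(i):
        return digits[i] if 0 <= i < len(digits) else 0

    int_part = "".join(f"{group(i):04d}" for i in range(weight + 1)).lstrip("0") or "0"
    n_frac = max(0, len(digits) - 1 - weight)
    frac = "".join(f"{group(weight - w):04d}" for w in range(-1, -n_frac - 1, -1))
    frac = frac.rstrip("0") if show_hidden else frac[:dscale].ljust(dscale, "0")
    text = int_part + ("." + frac if frac else "")
    return "-" + text if sign == NUMERIC_NEG else text


if __name__ == "__main__":
    # Constructed value: digits say 1.2300 but dscale says one decimal place.
    wire = encode_numeric(0, NUMERIC_POS, 1, [1, 2300])
    print("as printed:", numeric_to_str(*decode_numeric(wire)))
    print("as computed:", numeric_to_str(*decode_numeric(wire), show_hidden=True))
    print("after recv:", numeric_to_str(*numeric_recv(wire), show_hidden=True))
```

The first value prints as 1.2 but would take part in arithmetic as 1.23; after the receive-side truncation its stored digits agree with what it prints. The negative case with weight -2 exercises a group that is partly hidden (0.00001234 with dscale 6 becomes 0.000012).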

Reject out-of-range numeric timezone specifications (Tom
Lane)

Simple numeric timezone specifications exceeding +/- 168 hours
(one week) would be accepted, but could then cause null-pointer
dereference crashes in certain operations. There's no use-case for
such large UTC offsets, so reject them.

Fix bugs in tsquery @> tsquery operator (Heikki
Linnakangas)

Two different terms would be considered to match if they had the
same CRC. Also, if the second operand had more terms than the
first, it would be assumed not to be contained in the first; which
is wrong since it might contain duplicate terms.

The previous coding could crash on an oversize dictionary, so
this was deemed a back-patchable bug fix rather than a feature
addition.

Fix namespace handling in xpath()
(Ali Akbar)

Previously, the xml value resulting from
an xpath() call would not have
namespace declarations if the namespace declarations were attached
to an ancestor element in the input xml
value, rather than to the specific element being returned.
Propagate the ancestral declaration so that the result is correct
when considered in isolation.

The previous behavior resulted in basically ignoring these
per-table settings, which was unintended. Now, a table having such
settings will be vacuumed using those settings, independently of
what is going on in other autovacuum workers. This may result in
heavier total I/O load than before, so such settings should be
re-examined for sanity.

Avoid wholesale autovacuuming when autovacuum is nominally off
(Tom Lane)

Even when autovacuum is nominally off, we will still launch
autovacuum worker processes to vacuum tables that are at risk of
XID wraparound. However, such a worker process then proceeded to
vacuum all tables in the target database, if they met the usual
thresholds for autovacuuming. This is at best pretty unexpected; at
worst it delays response to the wraparound threat. Fix it so that
if autovacuum is turned off, workers only do anti-wraparound vacuums and
not any other work.

During crash recovery, ensure that unlogged relations are
rewritten as empty and are synced to disk before recovery is
considered complete (Abhijit Menon-Sen, Andres Freund)

Fix possible null pointer dereference when an empty prepared
statement is used and the log_statement
setting is mod or ddl (Fujii Masao)

Change "pgstat wait timeout" warning
message to be LOG level, and rephrase it to be more understandable
(Tom Lane)

This message was originally thought to be essentially a
can't-happen case, but it occurs often enough on our slower
buildfarm members to be a nuisance. Reduce it to LOG level, and
expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because
stats collector is not responding".

Fix SPARC spinlock implementation to ensure correctness if the
CPU is being run in a non-TSO coherency mode, as some non-Solaris
kernels do (Andres Freund)

When using libedit rather than readline, \s printed the command history in a fairly
unreadable encoded format, and on recent libedit versions might
fail altogether. Fix that by printing the history ourselves rather
than having the library do it. A pleasant side-effect is that the
pager is used if appropriate.

This patch also fixes a bug that caused newline encoding to be
applied inconsistently when saving the command history with
libedit. Multiline history entries written by older psql versions will be read cleanly with this
patch, but perhaps not vice versa, depending on the exact libedit
versions involved.

Improve consistency of parsing of psql's special variables (Tom Lane)

Allow variant spellings of on and
off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized
values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN,
HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these
variables case-insensitively; previously there was a mishmash of
case-sensitive and case-insensitive behaviors.

Fix psql's expanded-mode
display to work consistently when using border = 3 and linestyle =
ascii or unicode
(Stephen Frost)

Improve performance of pg_dump
when the database contains many instances of multiple dependency
paths between the same two objects (Tom Lane)

The previous over-conservative marking was immaterial in normal
use, but could cause optimization problems or rejection of valid
index expression definitions. Since the consequences are not large,
we've just adjusted the function definitions in the extension
modules' scripts, without changing version numbers.

These changes are mostly cosmetic but in some cases fix
corner-case bugs, for example a crash rather than a proper error
report after an out-of-memory failure. None are believed to
represent security issues.

Detect incompatible OpenLDAP versions during build (Noah
Misch)

With OpenLDAP versions 2.4.24 through 2.4.31, inclusive,
PostgreSQL backends can crash at
exit. Raise a warning during configure based on the compile-time OpenLDAP
version number, and test the crashing scenario in the contrib/dblink regression test.

Make pg_regress remove any
temporary installation it created upon successful exit (Tom
Lane)

This results in a very substantial reduction in disk space usage
during make check-world, since that
sequence involves creation of numerous temporary installations.

Support time zone abbreviations that change UTC offset from time
to time (Tom Lane)

Previously, PostgreSQL assumed
that the UTC offset associated with a time zone abbreviation (such
as EST) never changes in the usage of any
particular locale. However this assumption fails in the real world,
so introduce the ability for a zone abbreviation to represent a UTC
offset that sometimes changes. Update the zone abbreviation
definition files to make use of this feature in timezone locales
that have changed the UTC offset of their abbreviations since 1970
(according to the IANA timezone database). In such timezones,
PostgreSQL will now associate the
correct UTC offset with the abbreviation depending on the given
date.

Update time zone abbreviations lists (Tom Lane)

Add CST (China Standard Time) to our lists. Remove references to
ADT as "Arabia Daylight Time", an
abbreviation that's been out of use since 2007; therefore, claiming
there is a conflict with "Atlantic Daylight
Time" doesn't seem especially helpful. Fix entirely
incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji);
we didn't even have them on the proper side of the date line.

Update time zone data files to tzdata release 2015a.

The IANA timezone database has adopted abbreviations of the form
AxST/AxDT for all Australian time zones,
reflecting what they believe to be current majority practice Down
Under. These names do not conflict with usage elsewhere (other than
ACST for Acre Summer Time, which has been in disuse since 1994).
Accordingly, adopt these names into our "Default" timezone abbreviation set. The
"Australia" abbreviation set now
contains only CST, EAST, EST, SAST, SAT, and WST, all of which are
thought to be mostly historical usage. Note that SAST has also been
changed to be South Africa Standard Time in the "Default" abbreviation set.

Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT
(Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there
were DST law changes in Chile, Mexico, the Turks & Caicos
Islands (America/Grand_Turk), and Fiji. There is a new zone
Pacific/Bougainville for portions of Papua New Guinea. Also,
numerous corrections for historical (pre-1970) time zone data.
